A new phishing campaign leverages Microsoft’s Azure Blob storage to steal users’ Microsoft account credentials

• The first phishing campaign claims that users’ information is outdated and urges recipients to log in to Microsoft Office 365 account in order to update information.
• The second phishing campaign aims to steal users’ Microsoft account credentials from Facebook Workplace users by sending ‘Facebook notification’ phishing emails.

What's the issue - Researchers from EdgeWave observed two distinct phishing campaigns targeting users’ Outlook and Microsoft account credentials.

Worth noting - Both the phishing landing pages use Azure Blob storage in order to make the landing pages look legitimate.

The first campaign

• The first phishing campaign claiming users information to be outdated urges recipients to log in to Microsoft Office 365 account in order to update information.
• The phishing emails contain subject lines such as ‘Action Required: <email address> information is outdated - Re-validate now!!’.
• The email body includes a malicious link that redirects users to a phishing landing page when clicked.
• The phishing landing page masquerades as the organization’s Outlook Web App.
• The landing page contains a login form and urges users to enter their Outlook credentials.

The second campaign

• The second phishing campaign aims to steal users’ Microsoft account credentials from Facebook Workplace users by sending ‘Facebook notification’ phishing emails.
• The phishing emails include multiple malicious links that redirect users to a fake Microsoft 365 login page.
• The fake Microsoft page appears to be legitimate as it uses the same background and same login form.

Azure Blob Storage

Azure Blob Storage adds legitimacy to both the phishing landing pages as it uses the secure ‘windows.net’ domain and a wildcard SSL certificate. Moreover, the SSL certificate is signed by Microsoft.

“Messages like these continue to reach user’s inboxes, prompting them to click with enticing (alarming) content. The question is no longer “why do these evade my email security gateway” but should be “how do I arm my users?” The inbox is the new email battleground and requires a new approach to security,” researchers from EdgeWave concluded.